In a monthly automated scan, a dependency of this library showed a security vulnerability.
Tracing the dependency tree, it looks like pycognito -> python-jose[cryptography] -> ecdsa. Normally I would look to the source of the issue for a fix, but it seems that:
It's particularly unfortunate since python-jose claims that the library in question isn't even in use for python-jose[cryptography]. Alas, for reporting reasons, my team will need to address it regardless.
I was hoping you could provide me some clarity on whether or not you intend to address the vulnerability within the scope of this library.
Thank you for reading, and thank you for your contributions to OSS!
Hi there --
In a monthly automated scan, a dependency of this library showed a security vulnerability.
Tracing the dependency tree, it looks like pycognito -> python-jose[cryptography] -> ecdsa. Normally I would look to the source of the issue for a fix, but it seems that:
It's particularly unfortunate since python-jose claims that the library in question isn't even in use for python-jose[cryptography]. Alas, for reporting reasons, my team will need to address it regardless.
I was hoping you could provide me some clarity on whether or not you intend to address the vulnerability within the scope of this library.
Thank you for reading, and thank you for your contributions to OSS!